IPsec - poor performance in one direction

  • Greetings all,

    I am running into an IPsec performance issue and cannot pin-point the cause.  I have two sites connected via ASA-5505 and pfSense 1.2.3-RELEASE using an IPsec tunnel.  The tunnel is active and we can ping/copy data between sites with no problem.  However, copying data from Site-A to Site-B over the tunnel seems to be capped at 750Kb/sec, while copying data from Site-B to Site-A copies at appropriate speeds (4Mbps up/down).  In addition, if I copy data from Site-A to Site-B without using the IPsec tunnel (sftp via NAT port forwarding on the pfSense firewall), traffic copies at the appropriate speed.

    What's strange is that if I copy files from Site-B to Site-A outside the IPsec tunnel (port-forwarded SSH), the data is copied at the appropriate speed.  So, it appears something is throttling the IPsec tunnel from Site-B to Site-A.  A crude picture looks like this:

    SITE-A                             Internet Cloud       SITE-B
    /--------------------------\    /------------------\    /-------------------------\
    | Sun-Server <--> ASA-5505 |<===|== IPsec TUNNEL ==|===>| pfSense <--> Sun-Server |
    \--------------------------/    \------------------/    \-------------------------/

    So, in summary:

    • Site-A to Site-B via IPsec tunnel = slow

    • Site-B to Site-A via IPsec tunnel = fast

    • Site-A to Site-B outside IPsec tunnel = fast

    Any ideas?

  • Rebel Alliance Developer Netgate

    You can try tweaking the settings for scrub, and setting a lower MTU on the WAN, but what you are seeing is a fairly common complaint when hooking up to Cisco gear.

  • Thanks Jim.  What scrub settings should I look for?  I have done this exact config in the past and don't remember any speed-related issues like this.  Perhaps my ASA config needs to be tweaked slightly…

  • Rebel Alliance Developer Netgate

    Under System > Advanced there is a checkbox to disable/enable scrub.

  • Thanks, but that did not change anything.

    But, I did find something odd.  If I change the WAN MTU to 1400 on the ASA, I can no longer copy large files from the ASA side to the pfSense network over the VPN tunnel.  In fact, I changed both ends (ASA and pfSense) to 1400 and could not get an scp (secure copy) from the ASA side to the pfSense side.  This seems very strange to me.  I had to change the ASA side back to 1500 to get traffic running again.

    Does this ring a bell?  Is this a known behavior?

  • Rebel Alliance Developer Netgate

    Sounds familiar, but sadly I don't recall the specifics offhand. You may need to do a packet capture on the IPsec interface and look at it in wireshark to get a better idea of what is happening.
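    The capture-driven check suggested above, as an added worked example that is not part of the original thread and not pfSense or Cisco code: it shows how much of the WAN MTU an ESP tunnel consumes (hence why a 1400-byte WAN MTU leaves far less than 1400 bytes for the inner packet), and what to look for in a `tcpdump -v` capture on the IPsec interface when large transfers hang while small ones work. Assumptions, all mine rather than the thread's: ESP tunnel mode over IPv4 with AES-CBC and HMAC-SHA1-96 (other cipher suites change the constants); the capture lines, addresses and the "black hole" verdict labels are constructed for illustration, and nothing here claims that is what happened on the poster's link.

```python
"""Added example: ESP overhead arithmetic plus a scan of constructed tcpdump -v lines.

Assumptions (not from the thread): ESP tunnel mode over IPv4 with AES-CBC
(16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV); capture lines are in
`tcpdump -nn -v` style and are made up here, not taken from the OP's network.
"""
import math
import re

# ESP tunnel-mode per-packet overhead for the assumed cipher suite (bytes).
OUTER_IP = 20   # new outer IPv4 header
ESP_HDR = 8     # SPI + sequence number
IV = 16         # AES-CBC IV
BLOCK = 16      # AES block: encrypted payload is padded to a multiple of this
ICV = 12        # HMAC-SHA1-96 authenticator
TRAILER = 2     # pad-length + next-header bytes inside the encrypted region


def esp_packet_size(inner_len):
    """On-the-wire size of one inner IPv4 packet after ESP encapsulation."""
    padded = math.ceil((inner_len + TRAILER) / BLOCK) * BLOCK
    return OUTER_IP + ESP_HDR + IV + padded + ICV


def max_inner_mtu(wan_mtu):
    """Largest inner packet whose ESP encapsulation still fits in wan_mtu unfragmented."""
    budget = wan_mtu - (OUTER_IP + ESP_HDR + IV + ICV)
    return budget - budget % BLOCK - TRAILER


def tcp_mss_for(wan_mtu):
    """TCP MSS to clamp to so a full segment never needs fragmentation (no TCP options)."""
    return max_inner_mtu(wan_mtu) - 40


# Constructed `tcpdump -nn -v` lines as they might look on the IPsec (enc) interface:
# an scp sender pushing 1500-byte DF segments, one small reply, one retransmission,
# and no ICMP "need to frag" coming back.  Addresses are invented.
CAPTURE_BLACKHOLE = """\
10:00:01.000100 IP (tos 0x0, ttl 64, id 4001, offset 0, flags [DF], proto TCP (6), length 1500) 10.1.0.5.50110 > 10.2.0.9.22: Flags [.], seq 1:1461, ack 1, win 501, length 1460
10:00:01.000200 IP (tos 0x0, ttl 64, id 4002, offset 0, flags [DF], proto TCP (6), length 1500) 10.1.0.5.50110 > 10.2.0.9.22: Flags [.], seq 1461:2921, ack 1, win 501, length 1460
10:00:01.000300 IP (tos 0x0, ttl 64, id 4003, offset 0, flags [DF], proto TCP (6), length 92) 10.2.0.9.22 > 10.1.0.5.50110: Flags [P.], seq 1:53, ack 1, win 501, length 52
10:00:01.200000 IP (tos 0x0, ttl 64, id 4004, offset 0, flags [DF], proto TCP (6), length 1500) 10.1.0.5.50110 > 10.2.0.9.22: Flags [.], seq 1:1461, ack 1, win 501, length 1460
"""

# Same first segment, but the gateway answers it with ICMP "fragmentation needed",
# so path-MTU discovery can actually do its job.  Also constructed.
CAPTURE_WITH_ICMP = CAPTURE_BLACKHOLE.splitlines()[0] + "\n" + (
    "10:00:01.000150 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 576) "
    "203.0.113.1 > 10.1.0.5: ICMP 10.2.0.9 unreachable - need to frag (mtu 1342), length 556\n"
)

IP_RE = re.compile(r"flags \[([^\]]*)\].*?length (\d+)\)")   # IP flags and total length
FRAG_RE = re.compile(r"need to frag \(mtu (\d+)\)")           # ICMP type 3 code 4


def scan_capture(lines, inner_mtu):
    """Count DF-marked packets too big for the tunnel and any ICMP frag-needed replies.

    The verdict is a heuristic: oversize DF traffic with no ICMP coming back is the
    classic PMTUD black hole that makes large transfers hang while small ones work.
    """
    oversize_df = 0
    frag_needed = []
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            frag_needed.append(int(m.group(1)))
            continue
        m = IP_RE.search(line)
        if m and "DF" in m.group(1) and int(m.group(2)) > inner_mtu:
            oversize_df += 1
    if oversize_df and not frag_needed:
        verdict = "pmtud-blackhole"
    elif oversize_df:
        verdict = "pmtud-working"
    else:
        verdict = "ok"
    return {"oversize_df": oversize_df, "frag_needed": frag_needed, "verdict": verdict}


if __name__ == "__main__":
    for wan_mtu in (1500, 1400):
        print(f"WAN MTU {wan_mtu}: inner MTU {max_inner_mtu(wan_mtu)}, "
              f"clamp TCP MSS to {tcp_mss_for(wan_mtu)}")
    print("1500-byte inner packet becomes", esp_packet_size(1500), "bytes of ESP")
    for name, cap in (("no ICMP", CAPTURE_BLACKHOLE), ("with ICMP", CAPTURE_WITH_ICMP)):
        print(name, scan_capture(cap.splitlines(), max_inner_mtu(1400)))
```

    With the assumed cipher suite a 1500-byte WAN MTU leaves room for a 1438-byte inner packet (TCP MSS 1398), and a 1400-byte WAN MTU only 1342 (MSS 1302); a full 1500-byte inner packet balloons to 1560 bytes of ESP and must be fragmented or refused. Whether the check is meaningful also depends on where you capture: on the enc interface you see the decapsulated inner packets, so compare their length against `max_inner_mtu(wan_mtu)`, not against the WAN MTU itself.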

  • Thanks Jim.  Let me see what I can find…

  • Just to follow-up on this…

    Turns out the internet link was 10M/768K instead of 4M/4M.  So, pfSense and the Cisco ASA were working exactly as they should have.

    Thanks again Jim for all the help/pointers...
